CVE-2026-3336
📋 TL;DR
A certificate validation bypass vulnerability in AWS-LC's PKCS7_verify() function allows unauthenticated attackers to bypass certificate chain verification when processing PKCS7 objects with multiple signers. This affects applications using AWS-LC that process PKCS7 objects. AWS service customers are not affected, but applications using AWS-LC directly must take action.
💻 Affected Systems
- AWS-LC
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could impersonate trusted entities, intercept encrypted communications, or bypass authentication mechanisms by presenting maliciously crafted PKCS7 objects.
Likely Case
Man-in-the-middle attacks where attackers intercept and modify PKCS7-signed data without proper certificate validation.
If Mitigated
Limited impact if applications have additional validation layers or don't process untrusted PKCS7 objects.
🎯 Exploit Status
Requires crafting specific PKCS7 objects with multiple signers. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.69.0
Vendor Advisory: https://github.com/aws/aws-lc/security/advisories/GHSA-cfwj-9wp5-wqvp
Restart Required: Yes
Instructions:
1. Download AWS-LC version 1.69.0 from GitHub releases.
2. Replace the existing AWS-LC installation with the new version.
3. Recompile any applications that link against AWS-LC.
4. Restart affected services.
🔧 Temporary Workarounds
Disable PKCS7 processing
Temporarily disable PKCS7 object processing in applications if it is not required.
Implement additional certificate validation
Add custom certificate validation logic before calling PKCS7_verify().
🧯 If You Can't Patch
- Implement network segmentation to limit exposure of affected systems
- Monitor for unusual PKCS7 processing activity and implement strict input validation
🔍 How to Verify
Check if Vulnerable:
Check the AWS-LC version using ldd or dependency checking tools. If the version is below 1.69.0 and the application calls PKCS7_verify(), it is vulnerable.
Check Version:
ldd /path/to/application | grep -iE 'libcrypto|libssl|aws-lc' or check the application's linked libraries (note that ldd --version only reports the version of ldd itself, and a statically linked AWS-LC build does not appear in ldd output at all; in that case inspect the binary for an embedded AWS-LC version string)
Verify Fix Applied:
Verify AWS-LC version is 1.69.0 or higher and test PKCS7 verification with multiple signers.
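The version check described above, written out as a POSIX shell script. This is an added example, not part of the advisory or of AWS-LC; it assumes that AWS-LC builds embed a version text of the form "AWS-LC x.y.z" in the library (or in the executable, for static builds), and the function names awslc_version_of, version_lt, classify_file and scan_binary are the example's own.

```shell
#!/bin/sh
# Added example (not part of the advisory or of AWS-LC): locate the AWS-LC
# version string embedded in a binary or shared library and compare it with
# the fixed release 1.69.0.
# Assumption: AWS-LC builds embed a text of the form "AWS-LC x.y.z" in the
# library (statically linked builds carry it inside the executable itself).

FIXED_VERSION="1.69.0"

# Print the first "x.y.z" found after "AWS-LC " in the file; print nothing if
# the file does not appear to contain AWS-LC at all.
awslc_version_of() {
    grep -a -o 'AWS-LC [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^AWS-LC //'
}

# Succeed (exit 0) when version $1 is older than version $2. Fields are
# compared numerically so that 1.9.0 sorts before 1.69.0.
version_lt() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]; return; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]; return; fi
    [ "$a3" -lt "$b3" ]
}

# Classify one file as "vulnerable <version>", "patched <version>" or
# "no-awslc" (no AWS-LC version string found).
classify_file() {
    v=$(awslc_version_of "$1")
    if [ -z "$v" ]; then
        echo "no-awslc"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable $v"
    else
        echo "patched $v"
    fi
}

# Check an executable and every shared library ldd resolves for it. The
# executable itself is included because a static AWS-LC build lives inside it
# and never shows up in ldd output.
scan_binary() {
    for f in "$1" $(ldd "$1" 2>/dev/null | awk '/=>/ { print $3 }'); do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$f" "$(classify_file "$f")"
    done
}

# Usage: sh check_awslc.sh /path/to/application
if [ -n "$1" ]; then
    scan_binary "$1"
fi
```

A "patched" result only shows that the library on disk is new enough; a service that was not restarted after the upgrade still has the old code mapped, which is why the advisory lists a restart as required.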
📡 Detection & Monitoring
Log Indicators:
- Failed certificate validations for PKCS7 objects
- Unexpected PKCS7 processing errors
Network Indicators:
- Unusual PKCS7 object transmissions
- Certificate validation bypass attempts
SIEM Query:
search for 'PKCS7_verify' errors or certificate validation failures in application logs